Cookie Banner Requirements in the Netherlands (2026)

The AP (Autoriteit Persoonsgegevens) has been enforcing cookie banner rules since 2024 with a dedicated annual enforcement budget. In April 2025, warning letters went out to more than 200 organisations. More than half of monitored Dutch websites violate the rules.

This guide covers exactly what a compliant Dutch cookie banner must look like, what makes a banner non-compliant, and what the AP has fined businesses for.

The Legal Framework

Cookie consent in the Netherlands comes from two sources:

1. Telecommunications Act (Telecommunicatiewet), Article 11.7a — requires consent before placing non-essential cookies on a visitor's device
2. GDPR, Article 6(1)(a) and Article 7 — defines what valid consent looks like

Both apply simultaneously. A cookie banner must satisfy both the Telecommunications Act's consent requirement and the GDPR's validity standards.

The 9 AP Rules for Cookie Banners

The AP published these requirements as binding guidance:

Rule 1: No cookies before consent

Tracking scripts must not load until after the visitor has made a choice. The banner must appear before any analytics, advertising, or social media scripts execute. Loading scripts while the banner is visible — before any button is clicked — violates this rule.

Technically: no GTM container that loads third-party tags should fire before consent. Consent must be captured first.

Rule 2: Reject must be as easy as accept

The reject option must have the same visual prominence and require the same number of clicks as the accept option. Specifically prohibited:

• Large green "Accept all" button paired with small grey "Manage preferences" text link
• Single-click "Accept all" with multi-click rejection (requiring the user to deselect each category)
• A banner with only an "Accept" button and a link to settings buried in the UI

Both accept and reject must be primary buttons, equally visible.

Rule 3: No pre-ticked boxes

When the banner shows consent options by category, non-functional categories (analytics, advertising, personalisation) must be unticked by default. The visitor must actively opt in — not opt out.

Kruidvat was fined specifically for pre-ticked boxes. Coolblue was fined for automatically accepting cookies when a user clicked "continue" through the banner.

Rule 4: No cookie walls

You may not require visitors to accept cookies as a condition of accessing your website. This applies to paywalls that offer a choice of "accept cookies or pay" — the AP considers this equivalent to a cookie wall if the accept-cookies option is the default or the subscription price is set to be prohibitively high.

The AP's normative guidance on cookie walls (March 2019) explicitly prohibits this. It has been consistently enforced since.

Rule 5: Consent must be specific per category

A blanket "I accept all cookies" is permitted as an option, but users must also be able to accept or reject by category (analytics, advertising, personalisation). You cannot bundle all non-functional cookies into a single all-or-nothing choice.

Rule 6: Consent must be freely given

Consent is not valid if it is obtained under pressure or through manipulative design (dark patterns). See our guide on cookie banner dark patterns for a full taxonomy.

Rule 7: Consent must be informed

The banner must clearly identify who is placing cookies and for what purpose. Listing "advertising partners" without naming them is insufficient. The banner or a linked page must provide enough information for the visitor to make an informed choice.

Rule 8: Withdrawal must be as easy as giving consent

Users must be able to withdraw consent at any time. A preference centre or settings link must be accessible from every page — not just from the initial banner. The withdrawal mechanism must require the same number of clicks as the original consent action.

Rule 9: Consent must be recorded

You must be able to demonstrate that consent was given, when, and for what. This means storing a consent record with: timestamp, version of the banner shown, categories accepted. Do not store the full cookie consent record in a way that links it to a persistent user profile built before consent — that would itself be a cookie placed without consent.

What Gets Businesses Fined

The AP's fine decisions provide a clear picture of the most common violations:

Kruidvat (AS Watson) — €600,000 (reduced to €50,000 on appeal)

• Pre-ticked consent checkboxes
• Tracking cookies loaded before consent was obtained
• The reject path required significantly more interaction than accept

Coolblue — €40,000

• Pre-ticked consent boxes
• Clicking "continue" on the banner automatically accepted cookies
• No genuine equal choice between accept and reject

Consent Mode and Google Analytics

Google's Consent Mode v2 attempts to address consent management by adjusting what Google Analytics and Google Ads collect based on consent status. However, Consent Mode is not a substitute for a compliant banner.

With Consent Mode:

• If the visitor accepts: full tracking proceeds
• If the visitor rejects: Google uses modelled data (behavioural modelling to fill gaps)

Important: even with Consent Mode v2, Google still receives some signals even when consent is rejected. Whether this satisfies the Dutch Telecommunications Act's consent requirement is debated. The safest interpretation: Consent Mode reduces data collection on rejection, but the consent banner itself must still meet all AP requirements. Consent Mode does not fix a non-compliant banner.

Technical Checklist for a Compliant Dutch Cookie Banner

Use this to audit your current implementation:

Before any banner interaction:

• No analytics scripts have loaded
• No advertising pixels have loaded (Facebook, Google Ads)
• No social media embeds have loaded
• No heatmap or session recording tools have loaded

Banner design:

• Reject is a primary button, equal in size and prominence to Accept
• No pre-ticked checkboxes for non-functional categories
• All categories are unticked by default
• No cookie wall — website is accessible without accepting

Banner content:

• Identifies your organisation as the data controller
• Lists categories of cookies and purposes
• Links to your privacy policy
• Links to full cookie details / list of specific cookies

After consent:

• Scripts only load for categories the user accepted
• Consent choice is saved so user is not asked again on return
• Consent record stored (timestamp, version, categories)

Ongoing:

• Users can access a preference centre to change their choice
• Preference centre is accessible from every page (footer link or button)
• Withdrawing consent stops ongoing tracking immediately

Recommended Cookie Management Platforms

For Dutch market compliance, these platforms are commonly used:

• CookieYes — Dutch-law aware, customisable
• Usercentrics — enterprise-grade, used by larger Dutch organisations
• Iubenda — multi-jurisdiction support
• Cookiebot (Usercentrics) — automated cookie scanning + banner management
• Complianz — WordPress plugin popular in the Netherlands
• CookieFirst — Dutch company, built specifically for Dutch/EU compliance

The platform is only as good as its configuration. Even a reputable CMP can be configured non-compliantly if reject isn't given equal prominence to accept.

Self-Implementation Considerations

If you are managing consent without a third-party CMP, you need to ensure:

1. Tags and scripts are blocked server-side or via a tag manager until consent is captured
2. Consent state is persisted across pages and sessions
3. Consent can be revoked and revocation immediately stops scripts from loading
4. The consent record is stored in a way that does not itself require consent

Most implementations use a tag manager (Google Tag Manager with consent mode, or a privacy-focused alternative) combined with a consent banner that signals consent state.

Checking Your Banner

To verify your banner works correctly:

1. Open your website in an incognito window
2. Before clicking anything, open developer tools → Network tab
3. Look for requests to google-analytics.com, facebook.com, or other tracking domains
4. If any appear before you interact with the banner, your banner is non-compliant

For automated testing, our open-source @trustyourwebsite/cookie-consent-validator checks whether your banner actually stops tracking after rejection.

---

This article is technical analysis, not legal advice. Consult a lawyer for advice specific to your situation.